CentOS 6 simple server security configuration

Linux is an open system: countless ready-made programs and tools are available on the Web. That is convenient for users, but just as convenient for attackers, who can easily find tools to break into a Linux system or to steal sensitive information from it. With careful configuration and the necessary safeguards, however, an intruder is left with little to exploit. In general, securing a Linux system means removing unnecessary services, restricting remote access, hiding sensitive information, patching known vulnerabilities, using security tools, and performing regular security checks.

This article is a practical reference for the actual steps; it does not explain the principles behind attacks such as IP spoofing, and no handful of configuration lines can prevent every security problem. It is only a basic hardening procedure for a Linux system; more content will be added later.

Note: back up every file before you modify it, for example:

cp /etc/passwd{,.dist}

1. disable unused users

Note: deleting accounts is not recommended; if one is needed again later, recreating it correctly can be troublesome. Lock the account instead (or remove its login shell), which is just as effective and is reversible.

2. disable unused services

Stop every service the host does not actually provide and remove it from the boot runlevels. If you later need one of them back, for example acpid, start it and re-enable it at boot:

service acpid start && chkconfig acpid on

You can also use the setup utility (System services menu) to choose which services start at boot.
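The commands behind sections 1 and 2, as an added example that is not from the original post: a small script that lists the accounts which can still log in, locks an account without deleting it, and disables a SysV service. The passwd file path and the account names in the usage comments are assumptions; nothing runs until a function is called.

```shell
#!/bin/sh
# Added example for sections 1 and 2: audit login-capable accounts, lock
# accounts instead of deleting them, and disable unneeded SysV services.
# Functions only; call them as root, e.g.:
#   list_login_accounts /etc/passwd
#   lock_account games          (assumed: an account you found above)
#   disable_service cups        (assumed: a service this host does not need)

# Print every account whose login shell is interactive, one per line, as
# "name uid=N shell=S". An empty shell field means /bin/sh, so it is listed
# too. CentOS 6 ships sync/shutdown/halt with real binaries as their shells;
# they are harmless but worth knowing about.
list_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { printf "%s uid=%s shell=%s\n", $1, $3, $7 }' "$1"
}

# Lock an account without deleting it: passwd -l prefixes the hash with "!"
# so no password matches, and usermod -s removes the login shell. The home
# directory and files stay, so the account can be restored later with
#   passwd -u NAME && usermod -s /bin/bash NAME
# Refuses to touch root, the one account you must never lock out.
lock_account() {
    if [ "$1" = root ]; then
        echo "refusing to lock root" >&2
        return 1
    fi
    passwd -l "$1" && usermod -s /sbin/nologin "$1"
}

# Stop a SysV service now and keep it out of every runlevel at boot.
# Undo with: service NAME start && chkconfig NAME on
# See what is enabled for runlevel 3 with: chkconfig --list | awk '$5 ~ /on/'
disable_service() {
    service "$1" stop
    chkconfig "$1" off
}
```

The audit function is the useful part: run it after installation and again after every package update, since packages sometimes add accounts.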
3. disable IPv6

IPv6 was designed to solve IPv4 address exhaustion, but most of our servers do not use it. Disabling it removes a network path that firewall rules and monitoring often do not cover, avoids delays from IPv6 lookups and connection attempts that can never succeed, and reduces management overhead. Before doing so, check that no service is bound to an IPv6 address (for example an sshd ListenAddress of ::, or a mail server configured for both protocols). The following steps disable IPv6 completely on CentOS 6.

Prevent the IPv6 module from loading

The kernel must not load the IPv6 module. This is configured through modprobe; for ease of management, create a new file /etc/modprobe.d/ipv6off.conf with the following content:

alias net-pf-10 off
options ipv6 disable=1

The first line stops the module from being auto-loaded when the kernel asks for protocol family 10 (IPv6); the second keeps the stack disabled even if some other module pulls it in anyway.

Disable IPv6 networking in the init scripts so that nothing brings it up at boot: set NETWORKING_IPV6=no in /etc/sysconfig/network, turn off the ip6tables service (it cannot start without the module), and reboot.

Afterwards, check that lsmod no longer lists the ipv6 module and that /proc/net/if_inet6 does not exist; if neither is present, IPv6 is disabled. If the module still shows up but was loaded with disable=1, no interface will carry an inet6 address.
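The complete procedure as an added example, not part of the original post: it writes the modprobe file shown above, sets NETWORKING_IPV6=no in /etc/sysconfig/network without duplicating the line, and provides a check to run after the reboot. The optional directory argument is an assumption that lets you try it in a scratch tree before touching the live system.

```shell
#!/bin/sh
# Added example for section 3: disable IPv6 on CentOS 6 and verify it.
# As root:  disable_ipv6 "" && chkconfig ip6tables off && reboot
# Pass a directory as the first argument to write into a scratch tree instead.

disable_ipv6() {
    root="${1:-}"
    mkdir -p "$root/etc/modprobe.d" "$root/etc/sysconfig"

    # Keep the kernel from auto-loading the ipv6 module; if another module
    # pulls it in anyway, disable=1 stops it from registering the protocol.
    cat > "$root/etc/modprobe.d/ipv6off.conf" <<'EOF'
alias net-pf-10 off
options ipv6 disable=1
EOF

    # Tell the init scripts not to configure IPv6 at boot. Replace an existing
    # setting in place so repeated runs do not pile up duplicate lines.
    net="$root/etc/sysconfig/network"
    if grep -q '^NETWORKING_IPV6=' "$net" 2>/dev/null; then
        sed -i 's/^NETWORKING_IPV6=.*/NETWORKING_IPV6=no/' "$net"
    else
        echo 'NETWORKING_IPV6=no' >> "$net"
    fi
}

# After the reboot: prints "disabled" and returns 0 when no IPv6 stack is
# active, otherwise says what is still there and returns 1.
# /proc/net/if_inet6 exists only while IPv6 is registered, so it is a better
# indicator than lsmod alone (the module may be loaded with disable=1).
ipv6_status() {
    if [ -e "${1:-}/proc/net/if_inet6" ]; then
        echo "enabled: /proc/net/if_inet6 present"
        return 1
    fi
    echo disabled
}
```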
4. iptables rules

Enable the Linux firewall to block unwanted access. iptables rules filter inbound, outbound and forwarded packets, and can allow or deny specific TCP/UDP ports by source and destination address. Start from a default-deny INPUT policy and open only what the host actually serves.

For a complete worked ruleset, refer to the earlier post on setting up a firewall.
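A baseline ruleset as an added example (this is not the firewall post the author refers to): default-deny inbound, loopback and established traffic allowed, SSH admitted only from an administrative network with a brute-force limit, and ping rate-limited rather than all ICMP dropped, which also covers the ICMP handling discussed in section 9.1. The SSH port 20002, the admin network 192.0.2.0/24 and the public ports are assumptions. Set IPTABLES=echo to preview the rules without applying them, and run `service iptables save` afterwards so they survive a reboot.

```shell
#!/bin/sh
# Added example for section 4: a default-deny iptables baseline for CentOS 6.
# IPTABLES=echo ./script   previews the rules; as root without it they apply.
IPTABLES="${IPTABLES:-/sbin/iptables}"
SSH_PORT="${SSH_PORT:-20002}"                   # assumed: the port chosen in section 5
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"          # assumed: where admins connect from
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"  # assumed: what the host serves

apply_baseline_rules() {
    # Start clean but leave the policies alone until the allow rules are in,
    # so a live SSH session is never cut off half way through.
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F OUTPUT

    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # SSH only from the admin network, and at most 5 new connections per
    # source per minute: slows brute forcing without locking anyone out.
    $IPTABLES -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -m state --state NEW \
        -m recent --set --name SSH
    $IPTABLES -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
    $IPTABLES -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT

    for port in $PUBLIC_TCP_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
    done

    # ICMP: answer echo requests but cap the rate (blunts ping floods), and
    # keep the other ICMP types, which path MTU discovery and traceroute need.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
    $IPTABLES -A INPUT -p icmp -j ACCEPT

    # Log a sample of everything else before the policy drops it.
    $IPTABLES -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables drop: "

    # Now the default-deny policies. This host does not route, so FORWARD drops.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
}
```

The order matters: the ESTABLISHED rule is added before the INPUT policy flips to DROP, and the SSH accept comes after the recent-match rules so the limit is actually consulted.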
5. SSH security settings

If possible, the first thing to do is change SSH's default port 22 to a high, unused port such as 20002. This does not make sshd itself any harder to attack, but it takes the server out of the path of the mass scanners and brute-force bots that hammer port 22, which greatly reduces the number of login attempts you will see. Open the new port in iptables first, and if SELinux is enforcing, label the new port as ssh_port_t with semanage, or sshd will not be able to bind to it.

Next, set up key authentication. Ideally generate the key pair on the client with ssh-keygen so the private key never leaves it; if you generated it on the server, download the id_rsa private key to your workstation (rename it hostname_username_id_rsa so it is easy to identify), store it somewhere safe and delete the copy on the server. Put the public key in the user's ~/.ssh/authorized_keys (directory mode 700, file mode 600). From then on, that user logs in to this host with the private key and its passphrase; the account password is no longer used for SSH.

We require this user (the one you switch to other accounts from, in particular to root, which should never log in over SSH directly) to authenticate with the key file, while ordinary users may still log in as before. Add the following at the end of sshd_config (a Match block applies to every line after it, so it must come last):

Match User itsection
PasswordAuthentication no

Restart sshd with service sshd restart, but keep your current session open and confirm from a second terminal that key login on the new port works before you close it. One more warning: keep the public and private key backed up separately on another machine. If authorized_keys is lost on the server, or the private key (or its passphrase) is lost on the client, you can no longer log in, and therefore can no longer obtain root on the server.
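An audit helper, added here and not from the original post, that checks an sshd_config for the settings this section asks for: a non-default Port, PermitRootLogin off, and a Match block that turns PasswordAuthentication off for the key-only user. It follows sshd's own parsing rules: keywords are case-insensitive, the first occurrence of a keyword wins, and everything after the first Match line is conditional. The config path and user name are arguments; the configurations in the test are constructed.

```shell
#!/bin/sh
# Added example for section 5: audit an sshd_config file.
# Usage:  audit_sshd_config /etc/ssh/sshd_config itsection ; echo $?

# sshd_global_value FILE KEYWORD
# Prints the effective value of KEYWORD in the global section (before the
# first Match line). sshd uses the first occurrence, so a commented default
# or a duplicate further down does not override an earlier setting.
sshd_global_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k && !found { v = $2; found = 1 }
        END { print v }' "$1"
}

# sshd_match_user_value FILE USER KEYWORD
# Prints KEYWORD's value inside a "Match User ..." block that names USER
# (comma-separated user lists are handled); empty if no such block sets it.
sshd_match_user_value() {
    awk -v u="$2" -v k="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" {
            inblock = 0
            if (tolower($2) == "user") {
                n = split($3, users, ",")
                for (i = 1; i <= n; i++) if (users[i] == u) inblock = 1
            }
            next
        }
        inblock && tolower($1) == k { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE USER
# Prints one line per problem; returns 0 only if every check passes.
audit_sshd_config() {
    f="$1"; u="$2"; rc=0
    port=$(sshd_global_value "$f" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "Port: still 22 (unset or explicit)"; rc=1
    fi
    # OpenSSH 5.3 on CentOS 6 defaults PermitRootLogin to yes, so unset is a finding.
    root=$(sshd_global_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$root" in
        no|without-password|forced-commands-only) ;;
        *) echo "PermitRootLogin: direct root login allowed (value '${root:-unset}')"; rc=1 ;;
    esac
    if [ "$(sshd_match_user_value "$f" "$u" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication: no 'Match User $u' block sets it to no"; rc=1
    fi
    return $rc
}
```

Run it before restarting sshd; a non-zero exit means the file would not give you the setup described above.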
7. reduce the command history

Keeping a long command history is convenient for administration, but it is also a security problem: anyone who gets hold of the account can read passwords typed on the command line and learn how the system is laid out.

vi /etc/profile

Find HISTSIZE=1000 and change it to HISTSIZE=50, or clear the history every time you log out. Be aware that a short history also leaves less for you to reconstruct after an incident; if you need a tamper-resistant record of what was run, use auditd rather than relying on shell history.
8. special file permissions

Make the account database files immutable (chattr +i on /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow) so they cannot be modified, renamed or deleted, even by root, until the attribute is removed. This prevents an unauthorized user from acquiring privileges by editing them and blocks accidental changes, though an attacker who already has root can simply clear the attribute again.

Whenever you need to add or remove a user (or change a password, which rewrites /etc/shadow), you must cancel this setting first, make the change, and then apply it again: for example, clear the immutable attribute on /etc/passwd, run the user change, and set the attribute back. Remember to set it back.
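The locking procedure as an added example, not the author's script: make the account files immutable, report any that are not, and wrap an account change so the files are re-locked even if the change fails. The command variables let you preview with CHATTR=echo; the file list is the usual set and is an assumption about what you want to protect.

```shell
#!/bin/sh
# Added example for section 8: immutable account files with chattr.
# Run as root. CHATTR=echo ./script previews instead of changing anything.
CHATTR="${CHATTR:-chattr}"
LSATTR="${LSATTR:-lsattr}"
ACCOUNT_FILES="${ACCOUNT_FILES:-/etc/passwd /etc/shadow /etc/group /etc/gshadow}"

# +i: the file cannot be written, renamed, linked or deleted, even by root,
# until the flag is cleared. This stops accidental edits and the common
# "append a uid 0 user to /etc/passwd" trick, but root can still run
# chattr -i, so it is a speed bump for an attacker with root, not a wall.
lock_account_files()   { $CHATTR +i $ACCOUNT_FILES; }
unlock_account_files() { $CHATTR -i $ACCOUNT_FILES; }

# Print the files from the list that are not immutable (no output means all
# are locked). Suitable for a cron job that alerts on any output.
check_immutable() {
    for f in $ACCOUNT_FILES; do
        flags=$($LSATTR "$f" 2>/dev/null | awk '{ print $1 }')
        case "$flags" in
            *i*) ;;
            *) echo "$f" ;;
        esac
    done
}

# Run an account-changing command (useradd, userdel, passwd ...) with the
# files unlocked, re-lock them whether or not the command succeeded, and
# return the command's exit status.
with_unlocked() {
    unlock_account_files
    rc=0
    "$@" || rc=$?
    lock_account_files
    return $rc
}
# Example: with_unlocked useradd -m newuser
```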
9. prevention of network attacks

No handful of settings can prevent network attacks; the following simple measures reduce the likelihood and raise the cost of an attack, but do not stop it.

9.1 ban ping

If nobody can ping your system, it is harder to discover and ping floods have no effect. Add the following line to /etc/rc.d/rc.local (on CentOS 6 the equivalent net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf is the cleaner place; either way it survives a reboot):

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or block incoming echo requests (ICMP type 8) with iptables:

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP

To keep this host from pinging others, drop its outgoing echo requests:

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

Drop only echo requests, not ICMP as a whole: destination-unreachable and time-exceeded messages are needed for path MTU discovery and traceroute. Note also that hiding from ping blinds your own monitoring and does nothing against port scanners, which probe TCP ports directly.

9.2 prevent IP spoofing

Edit /etc/host.conf and add the following lines:

order hosts,bind   # order of name resolution
multi on           # allow a host to have multiple IP addresses
nospoof on         # reject spoofed hostnames

Be clear about what this does: nospoof makes the resolver check that the reverse lookup of an address and the forward lookup of the resulting name agree, which guards against forged DNS answers used to fake a trusted hostname (the rsh/rlogin-era threat), not against forged source IP addresses on the wire. The kernel-level defence against spoofed source addresses is reverse-path filtering (net.ipv4.conf.all.rp_filter = 1), which CentOS 6 already enables for the default interface configuration in /etc/sysctl.conf.

9.3 prevent DoS attacks

Setting resource limits for all system users (maximum number of processes, memory, open files and so on) blunts resource-exhaustion attacks such as fork bombs from a local or compromised account.

Add lines to /etc/security/limits.conf in the form domain, type, item, value, for example:

* hard nofile 64

nofile 64 means that each matching user may have at most 64 files open at the same time (far too low for most workloads; it is only an illustration, and nproc is the item that actually contains a fork bomb).

* means every user who logs in to the system, excluding root: the wildcard never matches root, which must be named explicitly to be limited.

Then check that the following line exists in /etc/pam.d/login, and add it if it does not:

session required pam_limits.so

Console logins go through /etc/pam.d/login, but SSH logins go through /etc/pam.d/sshd, which on CentOS 6 includes system-auth, where pam_limits is already enabled.

The values in limits.conf must be adjusted to the actual circumstances.
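The kernel and PAM side of sections 9.1 to 9.3 in one added example, not from the original post: a helper that sets a key in /etc/sysctl.conf idempotently, a hardening function that applies reverse-path filtering, SYN cookies and the ICMP settings, a writer for limits.conf, and a check that pam_limits is actually active. The limit values and the choice of sysctl keys are assumptions to tune per workload; file paths are parameters so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example for section 9: persistent sysctl and limits.conf hardening.
# As root:  harden_sysctl /etc/sysctl.conf && sysctl -p
#           write_limits /etc/security/limits.conf
#           pam_limits_enabled /etc/pam.d/login || echo "add pam_limits to login"

# set_sysctl FILE KEY VALUE: replace an existing "KEY = ..." line or append one.
set_sysctl() {
    f="$1"; k="$2"; v="$3"
    ke=$(printf '%s' "$k" | sed 's/\./\\./g')     # dots are literal in the key
    if grep -q "^[[:space:]]*$ke[[:space:]]*=" "$f" 2>/dev/null; then
        sed -i "s|^[[:space:]]*$ke[[:space:]]*=.*|$k = $v|" "$f"
    else
        printf '%s = %s\n' "$k" "$v" >> "$f"
    fi
}

# harden_sysctl FILE [IGNORE_PING]
# Network settings for a host that does not route. Pass 1 as the second
# argument to also ignore all echo requests (section 9.1); the default keeps
# ping answered so your own monitoring still works.
harden_sysctl() {
    f="$1"; ignore_ping="${2:-0}"
    # 9.2: drop packets whose source address is not routable back over the
    # interface they arrived on, refuse source routing and ICMP redirects,
    # and log the "martians" that rp_filter rejects.
    set_sysctl "$f" net.ipv4.conf.all.rp_filter 1
    set_sysctl "$f" net.ipv4.conf.default.rp_filter 1
    set_sysctl "$f" net.ipv4.conf.all.accept_source_route 0
    set_sysctl "$f" net.ipv4.conf.all.accept_redirects 0
    set_sysctl "$f" net.ipv4.conf.all.secure_redirects 0
    set_sysctl "$f" net.ipv4.conf.all.send_redirects 0
    set_sysctl "$f" net.ipv4.conf.all.log_martians 1
    # 9.3: survive SYN floods without exhausting the listen backlog.
    set_sysctl "$f" net.ipv4.tcp_syncookies 1
    # 9.1: never answer pings to a broadcast address (smurf amplification),
    # and optionally ignore every echo request.
    set_sysctl "$f" net.ipv4.icmp_echo_ignore_broadcasts 1
    set_sysctl "$f" net.ipv4.icmp_echo_ignore_all "$ignore_ping"
}

# write_limits FILE: per-login limits for all non-root users. The wildcard
# never matches root; name root explicitly if it should be limited too.
write_limits() {
    cat >> "$1" <<'EOF'
# added by hardening script: assumed values, tune to the workload
*    hard    nproc    512
*    hard    core     0
*    hard    nofile   4096
EOF
}

# pam_limits_enabled FILE: true if the file has an uncommented pam_limits line.
# Console logins use /etc/pam.d/login; SSH uses /etc/pam.d/sshd, which on
# CentOS 6 includes system-auth where pam_limits is already enabled.
pam_limits_enabled() {
    grep -q '^[^#]*pam_limits\.so' "$1"
}
```

Limits set through pam_limits apply per login session; daemons started by init do not pass through PAM and are not affected.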
10. fix known security vulnerabilities

Now and then a critical vulnerability appears in Linux or one of its core components, such as the udev privilege escalation, Heartbleed (OpenSSL), Shellshock (bash) and GHOST (glibc). If the server is exposed to the network, it must be patched promptly: on CentOS 6 that means applying the vendor updates with yum and then restarting the services that use the patched library, or rebooting for kernel and glibc updates, since a running process keeps the old code until it restarts.

11. periodic log checks

Move the logs to a dedicated log server; this keeps an intruder from simply editing the local copies to cover their tracks. The log files Linux commonly uses by default are the following: